1
00:00:00,840 --> 00:00:08,760
Hi, within this lecture, we're going to try and hack into the server. We are using WordPress vulnerabilities

2
00:00:08,760 --> 00:00:11,220
or some kind of tricks over here.

3
00:00:11,580 --> 00:00:17,160
So what I'm going to do, I'm going to go into the library and see if we can upload something over here.

4
00:00:17,610 --> 00:00:24,450
The basic trick is that if you can upload a reverse shell over there, then you can get a shell back.

5
00:00:24,480 --> 00:00:28,650
This is what happens mainly in the WordPress sites.

6
00:00:28,980 --> 00:00:32,390
I'm going to try that, but I don't know if it's going to work or not.

7
00:00:32,670 --> 00:00:40,470
So I'm going to search for a reverse shell exploit or cheat sheet, like we have done in the Python before

8
00:00:40,500 --> 00:00:41,890
in the previous section.

9
00:00:42,270 --> 00:00:48,900
Now, of course, I'm going to go into pentestmonkey one more time and say, yep, let's go over

10
00:00:48,900 --> 00:00:53,930
here, and I'm just going to find the one-liner.

11
00:00:54,210 --> 00:00:55,610
So this is good.

12
00:00:55,950 --> 00:01:04,290
And as you can see, it says if you want to be able to upload, get a more feature-full and robust

13
00:01:05,040 --> 00:01:11,160
reverse shell. This is just a one-liner that you run in the command line, OK, in the terminal.

14
00:01:11,940 --> 00:01:13,140
But we don't need that.

15
00:01:13,140 --> 00:01:20,460
We actually need a file to upload so that we can test if we can actually upload a PHP file to the server.

16
00:01:20,910 --> 00:01:24,570
So come over here and just find the reverse shell.

17
00:01:25,050 --> 00:01:31,490
And over there, I believe we should have some kind of download button over there.

18
00:01:31,800 --> 00:01:33,070
It says this:
19
00:01:33,090 --> 00:01:39,780
Don't forget to change the IP part and listen with netcat in another terminal, and just make sure you

20
00:01:39,780 --> 00:01:41,930
run the code.

21
00:01:42,090 --> 00:01:42,740
I don't know

22
00:01:42,750 --> 00:01:43,960
if we can do that yet.

23
00:01:43,980 --> 00:01:45,370
We are going to try and see.

24
00:01:45,990 --> 00:01:49,250
So I'm going to download the reverse shell.

25
00:01:49,590 --> 00:01:54,690
So let's come over here and let's see.

26
00:01:54,690 --> 00:01:59,040
Let's go to Downloads, and here we go.

27
00:01:59,040 --> 00:02:08,370
Let's see where this is, and search for php. So I cannot seem to find it.

28
00:02:08,370 --> 00:02:08,550
Yeah.

29
00:02:08,550 --> 00:02:09,200
Here you go.

30
00:02:09,540 --> 00:02:15,120
And this, for some reason, is tar and gzip.

31
00:02:15,450 --> 00:02:19,440
Let me just take it into the CTF folder, OK?

32
00:02:19,800 --> 00:02:20,940
In there, Mr. Robot.

33
00:02:20,940 --> 00:02:22,410
I'm going to paste it over here.

34
00:02:22,680 --> 00:02:24,570
So this is tar and gzip.

35
00:02:25,230 --> 00:02:28,290
Let me try to just unzip it from here.

36
00:02:28,620 --> 00:02:36,090
Like, we can use gzip to just unzip this, or let me just run ls.

37
00:02:36,600 --> 00:02:36,900
Yeah.

38
00:02:36,900 --> 00:02:37,620
Here you go.

39
00:02:37,630 --> 00:02:41,490
This should have been gunzip, but let me try this.

40
00:02:41,490 --> 00:02:46,920
So I'm going to write php-reverse-shell-1.0

41
00:02:46,920 --> 00:02:48,060
.tar.gz.

42
00:02:49,290 --> 00:02:49,610
Yeah.

43
00:02:49,620 --> 00:02:52,290
It says that it already has the .gz suffix.

44
00:02:52,770 --> 00:02:53,100
Yep.

45
00:02:53,130 --> 00:02:56,910
We have to specify that we're going to decompress this.

46
00:02:57,480 --> 00:03:00,180
It says unexpected end of file.

47
00:03:00,750 --> 00:03:02,730
So let me double click on this one.

48
00:03:02,880 --> 00:03:03,260
Yep.
49
00:03:03,270 --> 00:03:04,650
It doesn't really work.

50
00:03:04,650 --> 00:03:07,710
It is like an empty file.

51
00:03:07,950 --> 00:03:10,770
I believe there was something wrong with downloading it.

52
00:03:11,220 --> 00:03:13,260
So let me try this one more time.

53
00:03:13,260 --> 00:03:15,570
I'm going to try it too.

54
00:03:15,570 --> 00:03:19,410
But we don't have to, for some reason.

55
00:03:19,830 --> 00:03:22,230
Let me just run gzip help and see.

56
00:03:22,770 --> 00:03:23,100
Yep.

57
00:03:23,100 --> 00:03:24,390
We are doing this right.

58
00:03:24,390 --> 00:03:26,250
We are decompressing this.

59
00:03:26,550 --> 00:03:30,240
I believe there is something wrong with the file itself.

60
00:03:30,600 --> 00:03:40,110
So let me try and figure out how to proceed over here, so if we can try to download this one more time.

61
00:03:40,120 --> 00:03:40,920
And here you go.

62
00:03:41,130 --> 00:03:44,910
Kali says that this file contains malware.

63
00:03:44,910 --> 00:03:47,640
So it made it unavailable.

64
00:03:47,640 --> 00:03:53,760
If you click on this icon over here, you can just say open, and it will open that file for you.

65
00:03:53,950 --> 00:03:58,170
OK, so Kali thought that this is malware or something like that.

66
00:03:58,350 --> 00:04:05,070
So I'm going to delete it, but just take this reverse shell out of it and put it over in the folder over

67
00:04:05,070 --> 00:04:06,390
here, OK?

68
00:04:06,630 --> 00:04:08,700
So we don't need the rest of it.

69
00:04:08,820 --> 00:04:15,300
I'm going to just move it to trash and come over here and find the file.

70
00:04:15,570 --> 00:04:20,070
I'm going to open this with any kind of editor, like Leafpad or anything.

71
00:04:20,070 --> 00:04:26,730
I'm going to choose Geany, but you can even open this with nano itself, OK?

72
00:04:26,850 --> 00:04:31,680
Because all we need to do is just change the IP address and change the port.
73
00:04:32,310 --> 00:04:33,630
So for the IP address,

74
00:04:33,840 --> 00:04:40,740
I'm going to write my own Kali Linux IP address, which is 10.0.2 for my case, and I'm not going

75
00:04:40,740 --> 00:04:42,000
to even change the port.

76
00:04:42,000 --> 00:04:45,840
So the port is 1234, which is perfectly fine for me.

77
00:04:46,620 --> 00:04:51,690
So I'm going to close this down, and I have a few virtual machines over here.

78
00:04:52,170 --> 00:04:59,220
So if I can run this on the WordPress, then I will get... if I can run this on the server that holds the

79
00:04:59,220 --> 00:04:59,850
WordPress,

80
00:05:00,150 --> 00:05:06,690
I can get a shell back. So let me see if I can upload this to the WordPress. I'm going to come over here

81
00:05:06,690 --> 00:05:11,300
to Mr. Robot and find my shell and just double click on it.

82
00:05:11,640 --> 00:05:12,530
And here you go.

83
00:05:12,540 --> 00:05:18,020
It says that this file type is not permitted for security reasons, which makes sense.

84
00:05:18,420 --> 00:05:25,290
So I'm going to copy this one and paste it over here and try to just play with it a little bit.

85
00:05:25,920 --> 00:05:32,420
What we can do, we can just rename this, OK, and change the extension a little bit.

86
00:05:32,430 --> 00:05:36,380
I'm going to call this myshell.png.

87
00:05:37,080 --> 00:05:42,090
So it looks like a PNG file, but it's actually a PHP file.

88
00:05:42,540 --> 00:05:47,340
Even though we can upload this, maybe it won't get run by the server.

89
00:05:47,580 --> 00:05:49,060
But again, it's worth a shot.

90
00:05:49,380 --> 00:05:50,070
Here you go.

91
00:05:50,070 --> 00:05:51,840
It doesn't let us do that.

92
00:05:52,110 --> 00:05:58,290
So, again, even though this has a PNG extension, it doesn't allow us to upload this.

93
00:05:58,530 --> 00:06:02,040
So I'm going to go to Google and just find a JPEG or PNG file.
94
00:06:02,040 --> 00:06:06,140
I'm going to search for Metallica, since this is my favorite band.

95
00:06:06,170 --> 00:06:09,140
You can do this with your own favorite band as well.

96
00:06:09,510 --> 00:06:12,180
I'm going to just save an image over here.

97
00:06:12,390 --> 00:06:18,390
I'm going to call this metallica.jpg, and apparently I already have it in my Downloads.

98
00:06:18,870 --> 00:06:27,150
So let me come over here and find that, OK, and try to see if we can actually upload anything over

99
00:06:27,150 --> 00:06:27,620
here.

100
00:06:27,870 --> 00:06:29,610
And apparently, yeah, we can.

101
00:06:30,060 --> 00:06:38,280
So as you can see, this picture got uploaded to the server, and we cannot do that.

102
00:06:38,280 --> 00:06:41,160
We cannot just upload PHP files over here.

103
00:06:41,760 --> 00:06:51,200
So I'm going to change this to something like .jpg to see if there is something wrong with the PNG

104
00:06:51,210 --> 00:06:55,620
file and if it's OK with the JPG file.

105
00:06:56,100 --> 00:07:00,070
I'm going to come over here and just choose this one.

106
00:07:00,330 --> 00:07:00,900
Here you go.

107
00:07:00,900 --> 00:07:01,940
It doesn't let us.

108
00:07:02,190 --> 00:07:04,470
So the filtering works very well.

109
00:07:04,470 --> 00:07:08,250
As you can see, it doesn't let us upload files.

110
00:07:08,610 --> 00:07:14,190
So what I'm going to do, I'm going to go for Appearance, Editor, and I'm just going to change the

111
00:07:14,730 --> 00:07:15,760
code itself.

112
00:07:15,780 --> 00:07:22,690
OK, so I'm going to just change the code and just copy and paste my reverse shell to here.

113
00:07:23,280 --> 00:07:31,350
So over here, we're going to have to find a thing like a footer or 404 template in order to paste our

114
00:07:31,350 --> 00:07:40,050
code, so it won't get recognized by the editor or it won't get recognized by the developer, and gets called.
115
00:07:40,050 --> 00:07:44,430
It gets executed every time we visit the WordPress page.

116
00:07:44,440 --> 00:07:44,930
Right.

117
00:07:45,510 --> 00:07:51,930
So something like footer, or you can just put it in the 404 template and just go for a page that doesn't

118
00:07:51,930 --> 00:07:52,530
exist.

119
00:07:52,860 --> 00:07:54,680
It's a good strategy as well.

120
00:07:55,050 --> 00:07:59,490
So I'm going to come over here to our web server, which is 10.0.2.15.

121
00:07:59,910 --> 00:08:07,950
And over here we don't even see something like WordPress, like a real WordPress blog or something like

122
00:08:07,950 --> 00:08:08,190
that.

123
00:08:08,190 --> 00:08:08,510
Right.

124
00:08:08,820 --> 00:08:15,600
So maybe we can try to find something related to WordPress so that we can get to see the footer and

125
00:08:15,600 --> 00:08:16,160
header.

126
00:08:16,680 --> 00:08:18,270
So let me see.

127
00:08:18,280 --> 00:08:20,250
This is footer.php.

128
00:08:20,700 --> 00:08:32,460
OK, and there is an archive.php, comments.php. We can just try to go to 404, or maybe we can

129
00:08:32,460 --> 00:08:35,430
just trigger this from the server as well.

130
00:08:35,710 --> 00:08:40,650
What we really need to do is just find an optimized place to put this code into.

131
00:08:40,830 --> 00:08:43,170
So I'm just going to try with footer, OK?

132
00:08:43,350 --> 00:08:46,900
And we can just come over here and just run the footer.php.

133
00:08:46,980 --> 00:08:48,390
Here you go, blank.

134
00:08:48,690 --> 00:08:49,170
Right.

135
00:08:49,470 --> 00:08:54,950
So we can just reload this file and see if this works or not.

136
00:08:55,410 --> 00:08:59,540
So before reloading, of course, we're going to change the content of this footer.

137
00:09:00,060 --> 00:09:02,580
So this is the footer itself.

138
00:09:02,580 --> 00:09:04,810
I believe it really doesn't matter.
139
00:09:04,830 --> 00:09:12,180
All I'm going to do, I'm just going to copy the reverse shell code and paste it over here and see if that works

140
00:09:12,180 --> 00:09:12,750
or not.

141
00:09:13,440 --> 00:09:21,900
And you can just delete this footer. OK, I'm just going to copy this so that if we

142
00:09:21,900 --> 00:09:25,650
break something, we can just always come back and paste it back.

143
00:09:26,010 --> 00:09:30,090
I'm going to put it under my notes.txt, OK?

144
00:09:30,120 --> 00:09:34,820
And I'm just going to paste it over here if I can.

145
00:09:35,430 --> 00:09:35,970
Nope.

146
00:09:36,060 --> 00:09:37,860
Let me try one more time.

147
00:09:38,670 --> 00:09:39,040
Nope.

148
00:09:39,060 --> 00:09:40,110
It doesn't work.

149
00:09:40,110 --> 00:09:42,110
Let me try it this way, basically.

150
00:09:42,110 --> 00:09:42,690
Here you go.

151
00:09:42,690 --> 00:09:49,620
It works now. This is over here, so if I break something I can go back and just take it from there.

152
00:09:50,250 --> 00:09:53,640
Now let me delete everything here, OK.

153
00:09:53,640 --> 00:09:59,670
Delete everything in the footer and just open my reverse shell and copy

154
00:09:59,810 --> 00:10:08,220
everything from here and say copy, and just come back and paste it over there. So my footer is a reverse shell

155
00:10:08,240 --> 00:10:08,880
right now.

156
00:10:09,530 --> 00:10:13,790
So if I can update this file... as you can see, it says file edited

157
00:10:13,790 --> 00:10:14,710
successfully.

158
00:10:15,200 --> 00:10:20,730
Then let me just try and listen for incoming connections on port 1234.

159
00:10:21,140 --> 00:10:23,750
OK, so we're doing that with netcat.

160
00:10:24,170 --> 00:10:26,540
And let me just refresh this.

161
00:10:26,930 --> 00:10:27,920
And here you go.

162
00:10:27,920 --> 00:10:32,960
The footer disappeared, but it should send the connection back.

163
00:10:32,960 --> 00:10:34,560
And here you go.
164
00:10:34,880 --> 00:10:36,610
We are inside of the server.

165
00:10:36,620 --> 00:10:39,210
We managed to hack the server. If I run id on it,

166
00:10:39,620 --> 00:10:42,930
we are daemon, and if we run whoami,

167
00:10:42,950 --> 00:10:43,680
here you go.

168
00:10:44,000 --> 00:10:45,610
Of course we are not root.

169
00:10:46,460 --> 00:10:50,450
It is not wise to expect to be root when you first get in.

170
00:10:50,690 --> 00:10:53,510
But we are going to try and escalate our privileges.

171
00:10:53,510 --> 00:10:53,860
Right.

172
00:10:54,230 --> 00:10:55,310
So here you go.

173
00:10:55,310 --> 00:11:02,360
We can see some files; we can browse here and see what kind of things there are inside of /etc/passwd

174
00:11:02,360 --> 00:11:06,190
and stuff, but we hacked into the server.

175
00:11:06,210 --> 00:11:07,570
That's what's important.

176
00:11:08,090 --> 00:11:14,510
I'm going to stop here, and within the next lecture we can see what we are going to do to escalate

177
00:11:14,510 --> 00:11:16,370
our privileges and become root.